At the second annual NVTC Capital Cybersecurity Summit, I was privileged to moderate an amazing panel discussion on “The State of Cloud Security and Compliance: Dispelling the Myth of Cloud Insecurity.”

What made it so amazing were the panelists who represented the “Big 3” of cloud providers: Susie Adams, Chief Technology Officer, Microsoft Federal; Matthew O’Connor, Security Program Manager for Google Cloud Platform, Google; and Doug Van Dyke, General Manager, Public Sector, Amazon Web Services.

Yes, these three companies are in fierce competition, but they are also passionate advocates of cloud computing and of how it can benefit public and private sector enterprises. That passion really showed throughout our wide-ranging conversation.

During the discussion, the panelists shared why federal agencies, which have been slower than the private sector to adopt cloud computing despite its advantages in security, cost-effectiveness and capabilities, are now finally picking up the pace on cloud adoption. Our panel noted that NIST Special Publication 800-171, with its emphasis on a common language, has increasingly helped decision-makers understand the security standards required to operate in the cloud and thus enabled them to make more informed decisions.

Susie Adams of Microsoft stated that “The security paradigm has changed,” because “we are no longer just protecting assets that live behind our firewall…there is now a virtual edge you need to protect.” She added that “Identity is the new firewall, and devices are the new edge.” Another key point Susie made was that, “We are going to need to learn to protect data no matter where it is. If you can make that paradigm shift in your head, then you clearly see cloud providers can give you capabilities you didn’t have before.” I responded by noting that automation is key: it takes the work out of the manual security compliance process and puts it in the hands of the systems.

Currently, some 80 percent of federal IT spending is devoted to maintenance, often of outdated legacy IT systems, which is a massive information security risk. This is compared to 20-something percent for maintenance in much of the commercial sector, where businesses have much more readily adopted the cloud and other such innovative technologies. In our discussion on that issue, Doug Van Dyke of AWS observed that “There is a risk in not adopting these new technologies.” So if enterprises truly want to minimize risk, the cloud should be a means to do so. Susie Adams added that if agencies (and others) are not protecting their infrastructure, they are going to have a breach, and that is “why it’s important for the federal government to take advantage and invest in this new technology.”

Asked to identify what might impede or slow down cloud adoption, Google’s Matt O’Connor named two things – a massive breach that could lead to a more cautious posture vis-à-vis the cloud, and overly burdensome regulation, particularly by other nations. He stressed that governments around the world need to collaborate with, not dictate to, the private sector.

We had a very lively discussion on the responsibilities of customers hosting in the cloud environment. Doug Van Dyke said it is wrong for users to assume that security is someone else’s responsibility in the cloud, which he tied back to educating users. Matt O’Connor summed it up by saying that, in a shared security model, enterprises can look at their cloud security provider as a force multiplier and they should take advantage of what cloud providers have put in place, but they should not neglect their own responsibilities.

We concluded our session with a number of excellent questions from attendees, and Doug Van Dyke summed up the entire discussion best by saying we should mark this date, because we had AWS, Microsoft and Google “all in violent agreement” over the advantages of cloud computing and the need for continued focus on the state of cloud security and compliance.

I agreed with that conclusion – to have business rivals all on the same page is memorable. But cloud security and compliance should be an area where there is strong consensus because they are now so intertwined. And I also believe cloud security providers should explore additional methods to further automate security and compliance processes for their customers.

Here’s a link to the entire session (see video below also). I highly recommend it to anyone exploring a move to the cloud who may have some lingering hesitation. It will be worth your while.


Telos Corporation CEO and Chairman of the Board John Wood addresses cloud security in his new guest blog. Wood will be moderating the State of Cloud Security and Compliance panel at the Capital Cybersecurity Summit on Nov. 14-15 at The Ritz-Carlton, Tysons Corner.

It’s not exactly clear when the term “cloud” was first used to describe shared pools for configurable IT resources. However, it’s safe to say that it started creeping into our lexicon less than ten years ago.

Back then, the official definition of cloud was even less clear than it is today. Regardless of what the cloud actually was, this mysterious cloud entity was widely assumed to be unsafe.

That said, even from the beginning, I saw that the cloud offered many security advantages, especially to smaller companies that couldn’t afford to make infrastructure investments and hire many highly-skilled staff to manage complex IT systems in their own on-premises data centers. Still, doubts about cloud security swirled.

But in 2014, a crazy thing happened. Defying conventional wisdom, the CIA, arguably the most security-conscious organization in the world, announced its plan to work with Amazon Web Services (AWS) to adopt commercial cloud services. Shortly thereafter, C2S was born.

Even though countless other agencies had already adopted the cloud by 2014, the CIA and C2S gave the cloud instant credibility. It made federal agencies and highly regulated commercial organizations realize that if cloud technology is good enough, and secure enough, for the CIA, then it must be secure enough for them. Granted, C2S is an isolated environment, but it was still noteworthy that the CIA made the often-trumpeted “cloud first” policy a reality.

AWS recognized early on that security was important to ensure continued, widespread adoption of cloud services. For this purpose they introduced a shared responsibility model to help explain the security benefits you derive simply by hosting your workloads within AWS. Under this model, the customer is responsible for security in the cloud, and AWS is responsible for security of the cloud.

Not only does this shared responsibility model help address a number of security questions, especially in the areas of infrastructure and physical security, it also helps clients demonstrate compliance with requirements more quickly and efficiently, because they can inherit control results directly from AWS.

AWS certainly isn’t the only cloud service provider (CSP) in the game – Azure and Google also understand how important the message of cloud security and compliance is to drive further cloud adoption.

Despite all of this, it is essential for organizations to understand the potential security pitfalls of cloud adoption. It’s essential to know where your cloud service provider’s responsibility stops and customer responsibility starts. There have been a number of recent breaches resulting from unsecured cloud-based database deployments. Customers need to understand, and take seriously, their responsibility for protecting their systems, their applications and their data.
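The "security in the cloud" half of the shared responsibility model is where the unsecured-database breaches mentioned above happen: the provider keeps the network fabric sound, but the customer decides which sources may reach a database port. The example below is added here and is not code from the post or from any provider; it checks a small, constructed set of inbound firewall rules (a generic shape, not any provider's real API or export format) for database ports reachable from any address, and shows the corrected rule with the source narrowed to a trusted network. The port table and CIDRs are assumptions for illustration.

```python
import ipaddress

# Constructed table of common database listener ports (an assumption for this
# example; adjust it to the services actually deployed).
DB_PORTS = {
    1433: "MSSQL",
    1521: "Oracle",
    3306: "MySQL",
    5432: "PostgreSQL",
    6379: "Redis",
    9200: "Elasticsearch",
    27017: "MongoDB",
}

# Constructed sample of inbound rules in a provider-neutral shape
# (name, source CIDR, inclusive port range). Not exported from any real account.
SAMPLE_RULES = [
    {"name": "db-sg-public", "source": "0.0.0.0/0", "ports": (5432, 5432)},   # weak
    {"name": "web-sg", "source": "0.0.0.0/0", "ports": (443, 443)},           # fine
    {"name": "db-sg-private", "source": "10.0.0.0/16", "ports": (3306, 3306)},  # corrected form
    {"name": "legacy-allow-all", "source": "::/0", "ports": (0, 65535)},      # weak
]


def is_world_open(cidr: str) -> bool:
    """True when the CIDR matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_db_rules(rules):
    """Return one finding per (rule, database port) reachable from anywhere.

    A rule is reported only if its source is an any-address range AND its
    port range covers at least one known database port, so a public HTTPS
    rule is not flagged while a public allow-all rule is flagged once per port.
    """
    findings = []
    for rule in rules:
        if not is_world_open(rule["source"]):
            continue
        low, high = rule["ports"]
        for port, service in DB_PORTS.items():
            if low <= port <= high:
                findings.append({
                    "rule": rule["name"],
                    "port": port,
                    "service": service,
                    "source": rule["source"],
                })
    return findings


def restrict_source(rule, trusted_cidr: str):
    """Return a copy of the rule with its source narrowed to a trusted network."""
    net = ipaddress.ip_network(trusted_cidr, strict=False)
    if net.prefixlen == 0:
        raise ValueError("trusted_cidr must not be an any-address range")
    return {**rule, "source": str(net)}


if __name__ == "__main__":
    for f in find_exposed_db_rules(SAMPLE_RULES):
        print(f"{f['rule']}: {f['service']} port {f['port']} open to {f['source']}")
    fixed = restrict_source(SAMPLE_RULES[0], "10.0.0.0/16")
    print("after narrowing db-sg-public:", find_exposed_db_rules([fixed]))
```

Running the check over the sample flags `db-sg-public` once (PostgreSQL) and `legacy-allow-all` once per database port, leaves the HTTPS rule alone, and reports nothing once the public database rule is narrowed to the private range. The same logic applies to a real rule export once it is mapped into the same name/source/ports shape.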

The cloud has come a long way over the last ten years. Much progress has been made to enhance security and promote these security and compliance benefits. However, there is still work to be done to address lingering security concerns, questions and perceptions to help drive even broader adoption of cloud services.

If you’d like to hear what CSPs have to say about the myth of cloud insecurity, join me on Wednesday, November 15 at NVTC’s Capital Cybersecurity Summit. I will be moderating a panel that will discuss the current state of cloud security and compliance, featuring prominent voices from the big three cloud providers: Google, Microsoft and AWS. I hope to see you there!


Is your organization considering a transition to the cloud? Or is your company already making the switch? You’ll want to read this new guest blog post by Tom Tapley, senior consultant in the Systems Development group at LMI.

Every technology wave requires people to develop new skill sets. Tomorrow’s job titles have not been invented yet. So when a government agency decides to move computing to the cloud, it sets off a chain reaction of changes for everyone in that agency who works with technology. “Moving to the cloud” may sound like a technology project, but it is just as much about training people.

In many agencies, teams of people procure and maintain servers, routers, switches and related hardware. These employees are experts in making machines run smoothly, quickly and reliably. Days are spent physically configuring servers in data centers.

With cloud computing, those hands-on skill sets are no longer needed in-house; the work becomes the responsibility of cloud service providers. The servers, racks, and air-conditioned space, which may have been in government properties, will be emptied and the space repurposed.

Now agency employees need training to monitor and manage the cloud, using scripts rather than screwdrivers. In the past, there may have been a division between those who coded and those who ran server operations. Those roles are becoming more and more integrated.

Planning for Migration with a Cloud Adoption Framework

A government agency can better prepare for cloud migration by spending more time planning. LMI has developed a Cloud Adoption Framework with four steps: Decide, Prepare, Implement, and Improve. The phase most often overlooked is Prepare, and it’s not difficult to see the difficulties that arise when it is skipped.

Signs an Agency Has Skipped Planning

Here are signs an agency needs to spend more time preparing before engaging in cloud projects:

An agency only hires vendors who migrate data. Many cloud vendors have refined the process of migrating data and applications efficiently. However, if they don’t bring any expertise in enterprise architecture, they may just be moving data and applications in a piecemeal fashion, which creates system lag times as connections become more tenuous (some hosted onsite, while others are hosted in the cloud).

No clear path for cloud migration. In 2010, a Cloud First policy was announced for the federal government. Many agencies tackled easier migration projects, such as switching to Google Mail. After that, they were stuck. They didn’t have a clear idea of what to migrate next and had no model for evaluating what to move or how to gauge the impact of moving different IT assets.

Employee resistance. If employees fear their jobs will change or be eliminated, it is possible they will not provide the most accurate information about the necessity or benefits of the cloud. However, if it is clear employees will be supported as they shift to a new model, it is far more likely they will become allies in efforts to eliminate inefficiencies.

Cloud Migration Improves IT Roles

Managing how employee skill sets will change often is not part of cloud migration planning at the enterprise level. But if employees are engaged in a change management process and it is clearly communicated how cloud will make their work more satisfying, the agency accrues major benefits.

Increased agility: In the past, a sudden need for increased processing power kicked off a complicated procurement process, which involved getting buy-in for budgets, as well as provisioning and cloning servers. With cloud computing, the employee runs a script to create one or a thousand new servers. If the need for increased power lasts for a short time, the employee just reduces requests for cloud services. No more physical servers take up space.

Less time spent on overextended systems: Most government agencies have systems running on old technology (they may even have code from the time of mainframes). Old code is wrapped in newer code, like a ball of yarn, and new systems are interacting with it. A team might want to migrate one piece to the cloud, but first must disentangle all the pieces. A project manager might estimate a cloud migration costs $25 million only to find that it is so interconnected with other systems that the true cost of the project is more like $100 million. It is critical agencies pull in employee expertise to gain a comprehensive view of systems to ensure cost effective cloud migrations. Employees often know what not to migrate, what should be shut down, and what needs to be built afresh. Most importantly, with cloud services they may focus on building new and strong applications, instead of maintaining outdated ones.

More in-demand skills: Learning how to manage the cloud has huge benefit for employees, since cloud-related skills are in high demand. But if agencies skip the workforce analysis piece and do not cultivate their workforce to take over cloud management, sooner or later they will find they cannot afford to hire new people with necessary IT skills.

Tom Tapley is a senior consultant in LMI’s Systems Development group. Since joining LMI in 1998, he has performed work for several clients including the U.S. Postal Service, GSA Public Buildings Service, GSA Federal Technology Service, U.S. Army and Defense Logistics Agency. Tapley came to LMI after nine years with the Maryland Department of the Environment, where he managed the department’s Geographic Information System and Computer Modeling Division. Tapley has an M.S. in computer systems management from the University of Maryland University College and a B.S. and M.S. from the University of Florida in physical geography.

To learn more about cloud strategy, planning, and workforce readiness, please email ttapley@lmi.org.


Interested in transitioning to the cloud? Wondering where to start? Then you’ll want to read this NVTC member guest blog from LeaseWeb’s Julia Gortinskaya first to get prepared for your cloud transition.

From both a business and an IT perspective, migrating to the cloud can be a good option for many businesses. But it’s not something that can be done without the right research and preparation. If you want to be successful when migrating to the cloud, you need open communication with both your own team and your hosting provider, as well as a clearly defined cloud migration strategy that is connected to your business needs. What follows are five tips to help you get started:

1. Share your roadmap

Setting goals is everything. Your goals for migrating to the cloud should be closely connected to your business goals. How fast do you want to grow (i.e. how scalable does your technology need to be)? Who in your organization needs what functionality in order to reach which goal?

Select a cloud partner who is open to discussion about your roadmap and its implementation. Together you can create a technology roadmap that best supports your ambitions. Ideally, your cloud partner is a trusted advisor who shares his or her expertise with you. Keeping in close contact with your partner and sharing the load will also enable you to divide tasks between you: while your cloud provider focuses on hosting a cloud platform and making sure your servers are up-and-running, you will be able to concentrate on creating more value for your customers.

The value of leveraging a third party can only be achieved when both sides understand their responsibilities and expectations. This means communication between you and your partner should be one of your top priorities.

2. Check certifications and compliance statements

Security and compliance are enablers, not obstacles. When migrating to the cloud, it is important to know in advance which certifications your cloud partner has, what exactly they cover and how independent auditors monitor them. For instance, privacy and compliance certifications are necessary for organizations supporting compliant workloads.

Since security and compliance are shared responsibilities between you and your cloud provider, and perhaps other third parties as well, you’ll likely be able to benefit from the certifications your cloud provider already has in place. If your enterprise data is stored on servers in a datacenter owned by your cloud provider, the physical security of the datacenter is the cloud partner’s responsibility.

Make sure to find answers to questions such as ‘who has access to my data?’, ‘where is my data stored geographically?’ and ‘what are the export restrictions?’ You may prefer to store data in a specific region, but may also be bound to a location by customer contracts and/or privacy laws.

And don’t forget, certifications and regulations evolve over time. Cloud providers should follow developments closely and advise on any action you need to take. While you may not want to come across as suspicious, you should ask your partner to deliver proof of any certifications.

3. Look for a partner who can scale quickly

When migrating to the cloud, there are different options and delivery models for specific workloads: private, public, hybrid, hyper-scale, on premise and off-premise. New ones are developed at a rapid pace. Explore the options (and the degree of service, the security and the expected costs) that are available for your needs.

Whichever partner you choose, select one that can act the moment you need to scale quickly. If your business requires you to add server capacity either temporarily or for a longer period, your partner should be able to provide the flexibility and speed that you need.

4. Train your people before, during and after

Most cloud projects require a different set of skills from your IT staff to implement and manage workloads (e.g. APIs, open source platforms). Traditional skill sets in server, network and desktop administration are not needed in a cloud environment, as they are embedded in the service. In most instances, re-skilling employees in more DevOps-centric areas can be wise.

Instead of acquiring engineering skills, your IT staff will have to learn to think more as a cloud architect (which will probably be more challenging than being an administrator anyway). And since tactical day-to-day support is managed by your cloud partner, IT staff should spend more time developing and delivering services and applications that demonstrate direct value to the business.

5. Consider changes in architecture

We have come a long way from ‘one server for one service.’ Cloud computing changes the way applications are deployed and resources are delivered. Your current architecture might work in the cloud, but may also need some changes. Some applications can be migrated to the cloud as they are, while others might require adaptation, such as the decoupling of data. You might also benefit from taking a more service-oriented approach, with cloud services delivered through APIs. Try to design an architecture that takes full advantage of native cloud features.

You can download the full checklist “10 Do’s and Don’ts When Migrating to the cloud” here.